Mutual authentication between two entities is known in the art. For example, ISO/IEC technical standard 9798-4 (hereby incorporated by reference in its entirety) describes entity authentication using cryptographic check functions. A simplified mutual authentication technique that permits subsequent secure communications using a shared encryption key is desirable for numerous applications. One application of a simplified mutual authentication technique is in personalizing payment devices and other identification devices before they are used. Once personalization information, or identifying information, has been incorporated into the device, the device may be used to, for example, purchase goods, identify the object or an individual, or for other purposes.
The process of personalization traditionally occurs at a trusted centralized location with both physical and logical controls to ensure security. For example, credit cards may begin as generic card stock with embedded security features (such as holograms) and may later be associated with customer identifying information, to support customer identification, purchases, marketing, advertising, and other applications, by embossing the card or writing data to it at a personalization facility. This process ensures that unscrupulous individuals do not obtain credit card stock and incorporate spurious information onto the cards. Similar techniques may be used to associate cell-phone SIM cards with a particular customer or cell-phone.
There is a need for a personalization solution that allows transaction devices such as credit or debit cards, contactless payment devices (including non-card form factors), loyalty cards or devices, integrated circuit cards, and other identification devices to be personalized in a less secure environment, such as at a point-of-sale terminal, at a self-service kiosk or vending machine, on a home user's PC, or over-the-air (“OTA”) in portable devices such as cell-phones, smart phones, or personal digital assistants.